Stop using USB sticks to move kids' data, auditor tells Education Dept
UK.gov told to sharpen up over handling of database with 20 million children's info
The Department for Education (DfE) needs to improve the way it handles the personal sensitive information of 20 million records contained in its National Pupil Database, according to the Government Internal Audit Agency (GIAA).
The findings were revealed in the department's annual accounts for 2014/15, which were published yesterday. The GIAA found the department's assurance over the scheme was "limited".
It said: "Whilst data governance and accountability was found to be generally effective, improvements could be made over: vetting and validation of applications to access the National Pupil Database, information retention procedures, data handling guidance and the use of USB memory sticks."
The National Pupil Database contains a range of sensitive information dating from the year 2000, including name, postcode, ethnicity, records on absence, reasons for exclusion, types of disability, and whether the pupil is a recipient of free school meals.
In 2013 the DfE agreed new arrangements for accessing the National Pupil Database. These allowed access to third parties for "the purpose of promoting the education or wellbeing of children in England while complying with the requirements of the Data Protection Act." A short consultation was held on the new arrangements.
In February this year it was revealed that DfE has since enlarged the mega-database containing sensitive personal pupil information to nearly 20 million individual records, according to a Freedom of Information response.
Jen Persson, coordinator of children’s privacy group defenddigitalme said: “The DfE freely gives out 20 million children’s confidential personal data directly to unaccredited third parties without the consent of parents or pupils. Parents must be told who has their children’s personal data, and why."
She added: “Parents are shocked to find out that when we give our children’s personal data to schools it means the DfE can suck it into a national database and hand it out to companies, charities and journalists.”
The Register has contacted the DfE for a comment. ®
Sponsored: Becoming a Pragmatic Security Leader